CN101393628B - Novel network safe transaction system and method - Google Patents

Novel network safe transaction system and method Download PDF

Info

Publication number
CN101393628B
CN101393628B CN2008102264738A CN200810226473A CN101393628B CN 101393628 B CN101393628 B CN 101393628B CN 2008102264738 A CN2008102264738 A CN 2008102264738A CN 200810226473 A CN200810226473 A CN 200810226473A CN 101393628 B CN101393628 B CN 101393628B
Authority
CN
China
Prior art keywords
session key
key
service end
information
safety devices
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN2008102264738A
Other languages
Chinese (zh)
Other versions
CN101393628A (en
Inventor
陆舟
于华章
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Feitian Technologies Co Ltd
Original Assignee
Feitian Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Feitian Technologies Co Ltd filed Critical Feitian Technologies Co Ltd
Priority to CN2008102264738A priority Critical patent/CN101393628B/en
Publication of CN101393628A publication Critical patent/CN101393628A/en
Application granted granted Critical
Publication of CN101393628B publication Critical patent/CN101393628B/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Landscapes

  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)
  • Storage Device Security (AREA)

Abstract

The information provides a novel internet secure transaction system and a method thereof. A client computer system and an e-currency system running on the client computer system serve as transfer systems and do not participate in interaction with key information; a safe and logic communication link is built between a service terminal and information safety equipment; and key information does not appear in the client computer system and the e-currency system in the clear form so that a user key can not be intercepted and utilized repeatedly by an attacker. In order to achieve the purpose of building the safe and logic communication link, the dynamic key technology is used in the invention, that is, in the process of internet transaction, keys used each time are different. Each time the internet transaction is conducted, the bank service terminal generates two new symmetrical keys which are encrypted and then transmitted to the information safety equipment. The information safety equipment decrypts the encrypted keys to obtain the key so as to conduct the encryption communication with the service terminal. Even if the key is intercepted by the attacker, the key can not be used next time, because the keys used each time are different.

Description

A kind of novel network safe transaction system and method
Technical field
The present invention relates to information security field, particularly a kind of novel network safe transaction system and method.
Background technology
Along with the network vigorous growth, Internet-based banking services also utilize computer and the computer network of fast development and the Internet that mechanics of communication is penetrated into global every nook and cranny, and up to the present, domestic most of banks have all released the Internet-based banking services of oneself.In the evolution of bank, the safety problem of online transaction also becomes the focus that people pay close attention on the net.
At present, the safety measure that most of banks take all is to the user USB to be provided Key, in the process of carrying out online transaction, adds the participation of USB Key.USB Key is a kind of hardware device of USB interface.Its built-in single-chip microcomputer or intelligent card chip has certain memory space, can store user's private key, utilizes the built-in key algorithm of USB Key to realize the authentication to user identity.Current stage; Safer in order to ensure online transaction; The built-in key algorithm of USB Key is to adopt asymmetric arithmetic mostly, and asymmetric arithmetic can generate pair of secret keys---PKI and private key, bank client end main frame send to USB Key after using public-key information being encrypted; USB Key re-uses private key information is deciphered, and protects the fail safe of customer transaction information with this.Wherein,, use any way all can't read in theory, therefore guaranteed the fail safe of authentification of user because private key for user is kept among the USB Key.
Also preserve digital certificate among the USB Key, digital certificate is a kind of authoritative electronic document.It provides a kind of mode of on Internet, verifying your identity, and its effect is similar to driver's driving license or the identity card in the daily life.It by one by the distribution of authoritative institution's----CA certificate mandate (Certificate Authority) center, people can be in the Internet contacts discern the other side's identity with it.In the verification process of digital certificate, certificate verification center (CA) guarantees for authenticating user identification as authority, just, reliable third party fully.
When the user carries out online transaction; Need earlier USB Key to be inserted USB interface; The user imports PIN code, in order to confirm the right to use of user to USB Key, then service end and digital certificate is verified; In order to affirmation user's the legal identity and the legitimacy of service end, confirm that correctly the back just can bring into use the built-in key of USB Key to carry out online transaction.
But, as long as digital certificate and private key leave in the computer medium, perhaps possibly be read into internal memory, so all be unsafe.If the user's computer victim is handled, the just very possible victim intercepting of user's digital certificate and key, the assailant can utilize these authorization informations to pretend to be the user to carry out illegal operation, causes user's economic loss.
In sum, the shortcoming of existing bank system of web is: the easy victim intercepting of user's key, the assailant possibly utilize the information of intercepting to pretend to be the user to carry out online transaction, can not prevent repeat attack.
Summary of the invention
Deficiency in view of prior art; The invention provides a kind of novel network safe transaction system and method; Client computer system and the Net silver system in this system of running on as the transfer system, are not participated in the mutual of key message, between service end and information safety devices, set up the logic communication link of safety; Key message does not appear in client computer system and the Net silver system with the plaintext form, to avoid intercepting of user key victim and recycling.In order to reach the purpose of setting up the security logic communication link, the present invention uses the dynamic key technology, and promptly on the net in the process of exchange, each key that uses is all different.When carrying out online transaction, the bank service end generates two new symmetric keys at every turn, sending information safety devices to after these two secret key encryptions, obtains key after the information safety devices deciphering and just can carry out encryption communication with service end.Because each key that uses is different, even the victim intercepting is not worried being falsely used by the people yet, concrete scheme is following.
A kind of novel network safe transaction system; It is characterized in that; Said system comprises: service end, client host and information safety devices, and said service end comprises digital certificate authentication module, safety control module, said safety control module comprises key generation unit, first memory cell, second memory cell, first arithmetic element; Said client host comprises transit module, PIN code checking supplementary module; Said information safety devices comprises PIN code authentication module, server side authentication module, intelligent key module, and secure communication module, said intelligent key module comprise the 3rd memory cell, the 4th memory cell, second arithmetic element.
In said service end,
Said digital certificate authentication module is used for said the 4th memory cell stored numbers certificate is carried out authentication;
Said safety control module is used for the encryption of said service end and said information safety devices session;
Said key generation unit is used to generate session key;
Said first memory cell is used to store the session key that said key generation unit generates;
Said second memory cell is used to store client public key;
Said first arithmetic element is used to accomplish the encryption and decryption operation.
In said client host,
Said transit module is used to accomplish instruction and the transmission work of information between said service end and the said information safety devices;
Said PIN code checking supplementary module is used for the auxiliary PIN code checking work of accomplishing said PIN code authentication module.
In said information safety devices,
Said PIN code authentication module is used to verify whether the user who holds said information safety devices is validated user;
Said service end authentication module is used to verify whether said service end is legal;
Said intelligent key module is used for said information safety devices and said service end is carried out session encryption;
Said secure communication module is used for the data communication between said information safety devices and the client host;
Said the 3rd memory cell is used to store digital certificate, customer information of user etc.;
Said the 4th memory cell is used to store the session key that said key generation unit generates;
Said second arithmetic element is used to accomplish the encryption and decryption operation.
Preferably, said intelligent key module is the Safety Design chip, and said Safety Design chip comprises intelligent card chip.
Preferably, said secure communication module is a usb interface module.
A kind of novel network safe transaction method comprises the steps:
Client host sends the consulting session key instruction to service end;
The algorithm that said service end utilization is provided with in advance generates first session key and second session key, and packing generates the session key bag;
Said service end sends to said client host with said session key bag, and said client host is transmitted said session key bag to said information safety devices, and from said session key bag, obtains said first session key;
Said information safety devices obtains said first session key and second session key from said session key bag;
Utilize said first session key to carry out enciphering/deciphering between said information safety devices, client host, the service end and communicate by letter, carry out online transaction with said second session key.
Preferably, said client host also comprised the process of checking PIN code and said service end and digital certificate authentication before service end is sent the consulting session key instruction, and concrete steps are:
Said information safety devices and said client host connect;
Whether the PIN code of said information safety devices checking user input is correct; If correct, then said service end and the mutual authentication of said information safety devices be the validity of digital certificate each other, if the digital certificate in said service end and the said information safety devices is all effective; Then said client host sends the consulting session key instruction to service end; Otherwise to the user prompt error message, then transaction stops EO to said information safety devices through said client host.
Preferably, if the digital certificate in said service end and the said information safety devices is all effective, then said client host and said service end exchange PKI each other.
Preferably, said first session key is used for carrying out enciphering/deciphering between said information safety devices and the said client host communicates by letter, and said second session key is used for carrying out enciphering/deciphering between said information safety devices and the said service end and communicates by letter.
Preferably; The process that generates said session key bag is: said service end uses said client public key that said first session key and second session key are encrypted; Use said service end private key that said first session key is encrypted, and use first session key that said client public key encrypts and second session key and said service end to use said first session key packing of said service end encrypted private key to generate said session key bag said service end.
Preferably; The process that generates said session key bag is: said service end uses said client public key that said first session key and second session key are encrypted; The symmetric key that uses said service end to be provided with is in advance encrypted said first session key, and uses first session key that said client public key encrypts and second session key and said service end to use said first session key packing of the symmetric key encryption that said service end inside is provided with in advance to generate said session key bag said service end.
Preferably; Generate said session key bag process can also for: said service end uses client public key that said first session key and second session key are encrypted, and said first session key that said use client public key is encrypted and second session key and said first session key packing of unencrypted generate said session key bag.
Preferably, the said information safety devices process of communicating by letter with the enciphering/deciphering of said client host, service end is following:
Said information safety devices is judged the receiving party; If said receiving party is a client host; Then said information safety devices use said first session key to the information that will send send to said client host after encrypting; If said receiving party is a service end; Then said information safety devices use said second session key to the information that will send carry out encrypting and transmitting and give said client host, the information of said client host after with said encryption is transmitted to said service end.
Preferably, said client host uses said first session key that the cipher-text information that receives is deciphered, and obtains cleartext information.
Preferably, said client host is handled the back to cleartext information and is used said first session key, returns to said information safety devices.
Preferably, said information safety devices information that said client host is returned is utilized said first session key to decipher and is obtained cleartext information.
Preferably, said service end utilizes said second session key that the cipher-text information that receives is deciphered, and obtains cleartext information.
Preferably, utilize said second session key to encrypt after said service end is handled information and send to said client host, the information of said client host after with said encryption is transmitted to said information safety devices.
Preferably, said information safety devices utilizes said second session key that the information that receives is deciphered and obtains cleartext information.
Preferably, if said service end is sent data communications requests to said information safety devices, then said service end utilizes said second session key that information is encrypted, and sends to said information safety devices through said client host transfer.
Preferably, said information safety devices is connected through USB interface with said client host, realizes data communication.
Compared with prior art, the invention has the beneficial effects as follows:
1) carries out online transaction at every turn use different keys, can prevent that the assailant from carrying out intercepting to user profile and reuse;
2) key is not kept in the information safety devices before each transaction, can prevent that artificial malice from reading in the information safety devices information and utilizing;
3) send in the process of key to information safety devices in service end, taked mode, make online transaction safer the session key transmission;
4) in the conversation procedure of service end and information safety devices, client host is as the transfer system all the time, does not reach any cleartext information, and the safety of Transaction Information is protected.
Description of drawings
Fig. 1 is a network safe transaction system block diagram in the specific embodiment of the invention;
Fig. 2 is a network safe transaction method flow diagram in the specific embodiment of the invention;
Fig. 3 is a PIN code checking flow chart in the specific embodiment of the invention;
Fig. 4 is an out of order keyboard representation intention in the specific embodiment of the invention;
Fig. 5 is consulting session key and a conversation procedure sketch map in the specific embodiment of the invention.
Embodiment
Below in conjunction with accompanying drawing and specific embodiment the present invention is described further, but not as to qualification of the present invention.
Embodiment 1
Present embodiment provides a kind of novel network safe transaction system; Comprise: service end 1, client host 2, USB Key3; Service end 1 comprises safety control module 11, digital certificate authentication module 12; Safety control module 11 comprises key generation unit 111, first memory cell 112, second memory cell 113, first arithmetic element 114; Client host 2 comprises transit module 21, PIN code aided verification module 22; USB Key3 comprises PIN code authentication module 31, server side authentication module 32, intelligent key module 33, secure communication module 34, and intelligent key module 33 comprises the 3rd memory cell 331, the 4th memory cell 332, second arithmetic element 333, referring to Fig. 1.
In service end 1
Safety control module 11 is used for service end 1 and carries out session encryption with USB Key3;
Digital certificate authentication module 12, whether be used for to ca authentication center authentication the 4th memory cell 331 stored numbers certificates legal;
Key generation unit 111 is used to generate the session key that carries out session between service end 1, client host 2 and the USB Key3;
First memory cell 112 is used for the session key that storage key generation unit 111 generates;
Second memory cell 113 is used to store client public key;
First arithmetic element 114 is used to accomplish the encryption and decryption computing;
In client host 2
Transit module 21 is used to accomplish the session transmission work between service end 1 and the USB Key3;
PIN code aided verification module 22 is used for the auxiliary PIN code checking work of accomplishing said PIN code authentication module;
In USB Key3
PIN code authentication module 31 is used to verify whether the user who holds USB Key3 is validated user;
Server side authentication module 32, whether be used for service for checking credentials end 1 legal;
Intelligent key module 33 is used for USB Key3 and service end 1 is carried out session encryption;
The 4th memory cell 331 is used to store information such as digital certificate, user profile;
The 5th memory cell 332 is used to store the session key that generation unit 111 generates;
Second arithmetic element 333 is used to carry out the encryption and decryption computing;
Secure communication module 34 is used for the data communication between USB Key3 and the client host 2.
Embodiment 2
Following examples provide a kind of method of safe online transaction.In the present embodiment, the USB Key of use is equipped with LCD.In the process of exchange of whole Net silver, comprise three steps: PIN code checking, certificate and service end are verified, key obtains and information interaction; In the process of exchange of whole Net silver; PIN code is tested, the checking of certificate and service end, key obtains and information interaction realizes in chronological order one by one; Referring to Fig. 2, concrete steps are following:
The PIN code proof procedure, referring to Fig. 3:
Step 301, USB Key and client host connect;
Step 302, client host are sent the instruction that requires the checking PIN code to USB Key;
Step 303, USB Key generates out of order keyboard table, and returns to client host;
In present embodiment step 303; The continuous keyboard table of the unrest that USB Key is generated is that the position of conventional keyboard is upset at random, and reconfiguring then is a keyboard, and disorderly continuous keyboard table is generated by USB Key at random; And each out of order keyboard table that generates is all different; (diagram is only represented a kind of situation that produces at random, does not represent all) as shown in Figure 4 done like this and can be played the effect that prevents repeat attack.Repeat attack just is meant that the assailant is when the user carries out internet bank trade; With the user related information intercepting; And use these information to pretend to be the client to carry out internet banking operation, in the present embodiment, each out of order keyboard table that uses is all different; Even the victim intercepting, the assailant can not use it.
Step 304, client host are utilized out of order keyboard table to generate a soft keyboard corresponding with out of order keyboard table and are shown;
Step 305, USB Key waits for and receives PIN code;
Step 306, the user is through client host input PIN code;
In present embodiment step 306, the input of PIN code is that step-by-step is carried out, PIN code of every input; Mouse pointer moved be put in the out of order keyboard table on the key bits corresponding; Confirm errorless after, press the acknowledgement key on the USB Key, accomplish the input of a PIN code; At this moment can demonstrate the value of the PIN code of being imported on the display screen of USB Key, input continued that finishes is imported the next bit PIN code as stated above.
Step 307, USB Key judges whether PIN code is imported and finishes, if input does not finish, then continues input, if input finishes, carry out step 308;
Step 308, whether USB Key verifies inside correct to the PIN code of being imported, and will verify that the result returns to client host;
Step 309 is that PIN code is correct if USB Key returns to the checking result of client host, and execution in step 310 is the PIN code mistake if USB Key returns to the checking result of client host, execution in step 311;
Step 310, user identity is legal, and client host and USB Key carry out the consulting session key instruction;
Step 311, user identity is illegal, end operation.
After the PIN code checking finished, the user who confirms to hold USB Key just can begin the digital certificate of Net silver service end and USB Key stored is verified for validated user.
Digital certificate and service end verification process:
Carry out in the process of information interaction at client host and service end, the present invention has taked to use the method for HTTPS communication.HTTPS (full name: Hypertext Transfer Protocol over Secure Socket Layer); Be to be the HTTP passage of target with safety; Its foundation for security is SSL; Be a kind of network transmission protocol, HTTPS is a URI scheme (an abstract identifier system), and sentence structure is http roughly the same: system.Be used for safe HTTP transfer of data.Https:URL shows that it has used HTTP, but there be a default port and an encryption/authentication layer (between HTTP and TCP) that is different from HTTP in HTTPS.The initial research and development of this system are undertaken by Netscape, and authentication and encipher communication method are provided, and it is widely used in the communication of security sensitive on the World Wide Web (WWW) now.The HTTPS agreement is taked service end and user identity two-way authentication.The server side authentication stage: client host sends a start information " Hello " so that begin a new session connection to service end; Service end determines whether that according to client's information needs generate new master key, and like needs, then service end will comprise when " Hello " of customer in response information and generate the required information of master key and send to the client; The client is according to the service end response message of receiving; Produce a master key, and pass to service end behind the public key encryption with service end, service end is recovered this master key; And return to information of client with the master key authentication, let the authenticated client service end with this.The authenticated client stage: before this; Service end has been passed through authenticated client, and this stage is mainly accomplished the authentication to the client, and certified service end is sent an enquirement and given the client; The client then returns the enquirement and its public-key cryptography behind (numeral) signature, thereby to service end authentication is provided.
Utilize the HTTPS communication, the Net silver system has accomplished task: one, the authentication of ca authentication center the validity of digital certificate in the USB Key, to confirm the legal of client identity; Two, the validity of service for checking credentials end is avoided client host because network attack etc. is former thereby insert the service end of pretending to be, the victim steal information of taking advantage of the occasion; Three, produce encrypted tunnel, realize the confidentiality of information interaction.
Key obtains and information interactive process:
After the authentication of accomplishing digital certificate and service end, just can begin consulting session key between service end and the USB Key, and carry out information exchange and carry out network bank business based with session key.Detailed process is following, referring to Fig. 5:
Step 501, client host are sent to service end and are obtained the session key instruction;
Step 502 after service end is received order, generates session key C_Key, S_Key, and wherein C_Key is the session key that client host and USB Key carry out communication, and S_Key is the session key that service end and USB Key carry out communication;
Step 503; Service end uses client public key C_PUB that C_Key, the S_Key that generates in the step 502 encrypted; Produce C_PUB (C_Key, S_Key); Service end uses service end private key S_PRV that C_Key is encrypted, and produces S_PRV (C_Key), and C_PUB (C_Key, S_Key) and S_PRV (C_Key) are packaged into a session key bag;
In present embodiment step 503; Can also be to use client public key C_PUB that C_Key, the S_Key that generates in the step 502 encrypted; Produce C_PUB (C_Key, S_Key); The symmetric key that service end uses its inside to pre-set is encrypted C_Key, and the C_Key of the symmetric key encryption that C_PUB (C_Key, S_Key) and use service end inside are pre-set is packaged into a session key bag.
In present embodiment step 503; Also can be to use client public key C_PUB that C_Key, the S_Key that generates in the step 502 encrypted; Produce C_PUB (C_Key, S_Key), again C_PUB (C_Key, S_Key) and C_Key are packaged into a session key bag;
Step 504, service end is sent the session key bag to client host;
Step 505, client host are handled the session key bag and are obtained C_PUB (C_Key, S_Key) and S_PRV (C_Key), the C_Key that preservation obtains after S_PRV (C_Key) is deciphered, and to USB Key forwarding C_PUB (C_Key, S_Key);
Step 506, USB Key deciphers C_PUB (C_Key, S_Key) and obtains C_Key, S_Key;
Step 507, USB Key upgrades C_Key, and preserves S_Key;
Step 508, USB Key just can carry out encryption communication after receiving C_Key, S_Key, and wherein C_Key is used for the encryption communication between client host and the USB Key, and S_Key is used for the encryption communication between service end and the USB Key;
Step 509 is judged the content of execution command, if carry out online account transfer operation; Then USB Key and service end are carried out encryption communication, and execution in step 510 reads the digital certificate instruction if carry out; Then USB Key and client host carry out encryption communication, execution in step 514;
In present embodiment step 509, only to transfer accounts operation on the net and read operation of digital certificate be that example explains that USBKey and service end, USB Key and client host carry out the process of encryption communication to carry out.
Step 510, USB Key obtains [date] to transaction data date signature Sign, USB Key uses S_Key to [date] SignEncrypt and obtain [[date] Sign] S_Key, and send to client host;
In present embodiment step 510, transaction data date is provided by client host, and client host uses C_Key that transaction data date is encrypted, and obtains [date] C_KeyAnd sending to USB Key, USB Key uses C_Key that [date] C_Key is deciphered and obtains date.
Step 511, client host is with [[date] Sign] S_KeyBe transmitted to service end;
Step 512, service end use S_Key to [[date] Sign] S_KeyDecipher and obtain [date] Sign
Step 513, server is to [date] SignSignature is verified, accomplishes the transmission of transaction data;
Step 514, client host are sent reading word certificate instruction read and are used C_Key that instruction read is encrypted, and obtain [read] C_Key, and send to
Step 515, USB Key uses C_key to [read] C_KeyDecipher and obtain instructing read;
Step 516, USB Key accomplishes instruction read operation, reading number certificate content certificate;
Step 517, USB Key uses C_Key that certificate is encrypted, and obtains [certificate] C_Key, and send to client host;
Step 518, client obtain [certificate] C_Key, use C_Key to decipher and obtain digital certificate content certificate.
In the present embodiment key acquisition process, each session key C_Key, S_Key that generates is different for service end, and doing like this is to carry out repeat attack for the key victim intercepting that prevents the user.
More than a kind of novel online transaction safety system provided by the present invention and method have been carried out detailed introduction; Used concrete example among this paper principle of the present invention and execution mode are set forth, the explanation of above embodiment just is used for helping to understand method of the present invention and core concept thereof; Simultaneously, for one of ordinary skill in the art, according to thought of the present invention, the part that on embodiment and range of application, all can change, to sum up, this description should not be construed as limitation of the present invention.

Claims (19)

1. a novel network safe transaction system is characterized in that, said system comprises: service end, client host and information safety devices, wherein,
Said information safety devices comprises:
The PIN code authentication module is used to verify whether the user who holds said information safety devices is validated user;
The service end authentication module is used to verify whether said service end is legal;
Intelligent key module is used for said information safety devices and said service end is carried out session encryption;
The secure communication module is used for the data communication between said information safety devices and the client host;
The 3rd memory cell is used to store user's digital certificate, customer information;
The 4th memory cell is used to store the session key that said key generation unit generates;
Second arithmetic element is used to accomplish the encryption and decryption operation;
Said service end comprises:
The digital certificate authentication module is used for the 4th memory cell stored numbers certificate is carried out authentication;
Safety control module is used to accomplish the encryption of the session between said service end and the said information safety devices;
The key generation unit is used to generate session key;
First memory cell is used to store the session key that said key generation unit generates;
Second memory cell is used to store client public key;
First arithmetic element is used to accomplish the encryption and decryption operation;
Said client host comprises:
Transit module is used to accomplish instruction and the transmission work of information between said service end and the said information safety devices;
PIN code checking supplementary module is used for the auxiliary PIN code checking work of accomplishing said PIN code authentication module.
2. the system of claim 1 is characterized in that, said intelligent key module is the Safety Design chip, and said Safety Design chip comprises intelligent card chip.
3. the system of claim 1 is characterized in that, said secure communication module is a usb interface module.
4. a novel network safe transaction method comprises the steps:
Client host sends the consulting session key instruction to service end;
The algorithm that said service end utilization is provided with in advance generates first session key and second session key, and packing generates the session key bag;
Said service end sends to said client host with said session key bag, and said client host is transmitted said session key bag to said information safety devices, and from said session key bag, obtains said first session key;
Said information safety devices obtains said first session key and second session key from said session key bag;
Utilize said first session key to carry out enciphering/deciphering between said information safety devices, client host, the service end and communicate by letter, carry out online transaction with said second session key.
5. method as claimed in claim 4 is characterized in that, said client host also comprised the process of checking PIN code and said service end and said digital certificate authentication before service end is sent the consulting session key instruction, and concrete steps are:
Said information safety devices and said client host connect;
Whether the PIN code of said information safety devices checking user input is correct; If correct, then said service end and the mutual authentication of said information safety devices be the validity of digital certificate each other, if the digital certificate in said service end and the said information safety devices is all effective; Then said client host sends the consulting session key instruction to service end; Otherwise to the user prompt error message, then transaction stops EO to said information safety devices through said client host.
6. method as claimed in claim 5 is characterized in that, if the digital certificate in said service end and the said information safety devices is all effective, and then said client host and said service end exchange PKI each other.
7. method as claimed in claim 4; It is characterized in that; Said first session key is used for carrying out enciphering/deciphering between said information safety devices and the said client host communicates by letter, and said second session key is used for carrying out enciphering/deciphering between said information safety devices and the said service end and communicates by letter.
8. method as claimed in claim 4; It is characterized in that; The process that generates said session key bag is: said service end uses said client public key that said first session key and second session key are encrypted; Use said service end private key that said first session key is encrypted, and use first session key that said client public key encrypts and second session key and said service end to use said first session key packing of said service end encrypted private key to generate said session key bag said service end.
9. method as claimed in claim 4; It is characterized in that; The process that generates said session key bag is: said service end uses said client public key that said first session key and second session key are encrypted; The symmetric key that uses said service end to be provided with is in advance encrypted said first session key, and uses first session key that said client public key encrypts and second session key and said service end to use said first session key packing of the symmetric key encryption that said service end inside is provided with in advance to generate said session key bag said service end.
10. method as claimed in claim 4; It is characterized in that; Generate said session key bag process can also for: said service end uses client public key that said first session key and second session key are encrypted, and said first session key that said use client public key is encrypted and second session key and said first session key packing of unencrypted generate said session key bag.
11. method as claimed in claim 4 is characterized in that, said information safety devices is following with the process that the enciphering/deciphering of said client host, service end is communicated by letter:
Said information safety devices is judged the receiving party; If said receiving party is a client host; Then said information safety devices use said first session key to the information that will send send to said client host after encrypting; If said receiving party is a service end; Then said information safety devices use said second session key to the information that will send carry out encrypting and transmitting and give said client host, the information of said client host after with said encryption is transmitted to said service end.
12. method as claimed in claim 11 is characterized in that, said client host uses said first session key that the cipher-text information that receives is deciphered, and obtains cleartext information.
13. method as claimed in claim 12 is characterized in that, said client host is handled the back to cleartext information and is used said first session key, returns to said information safety devices.
14. method as claimed in claim 13 is characterized in that, the information that said information safety devices returns said client host is utilized said first session key to decipher and is obtained cleartext information.
15. method as claimed in claim 11 is characterized in that, said service end utilizes said second session key that the cipher-text information that receives is deciphered, and obtains cleartext information.
16. method as claimed in claim 15; It is characterized in that; Utilize said second session key to encrypt after said service end is handled information and send to said client host, the information of said client host after with said encryption is transmitted to said information safety devices.
17. method as claimed in claim 16 is characterized in that, said information safety devices utilizes said second session key that the information that receives is deciphered and obtains cleartext information.
18. method as claimed in claim 4; It is characterized in that; If said service end is sent data communications requests to said information safety devices, then said service end utilizes said second session key that information is encrypted, and sends to said information safety devices through said client host transfer.
19. method as claimed in claim 4 is characterized in that, said information safety devices is connected through USB interface with said client host, realizes data communication.
CN2008102264738A 2008-11-12 2008-11-12 Novel network safe transaction system and method Expired - Fee Related CN101393628B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2008102264738A CN101393628B (en) 2008-11-12 2008-11-12 Novel network safe transaction system and method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2008102264738A CN101393628B (en) 2008-11-12 2008-11-12 Novel network safe transaction system and method

Publications (2)

Publication Number Publication Date
CN101393628A CN101393628A (en) 2009-03-25
CN101393628B true CN101393628B (en) 2012-08-08

Family

ID=40493913

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2008102264738A Expired - Fee Related CN101393628B (en) 2008-11-12 2008-11-12 Novel network safe transaction system and method

Country Status (1)

Country Link
CN (1) CN101393628B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106961446A (en) * 2017-05-08 2017-07-18 浙江敢尚网络科技有限公司 A kind of online transaction system and method

Families Citing this family (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101645890B (en) * 2009-08-06 2012-08-08 飞天诚信科技股份有限公司 Method, system and corresponding equipment for verifying information source integrality
CN101848088A (en) * 2009-12-28 2010-09-29 北京海泰方圆科技有限公司 System for submitting personal identification codes by using cipher algorithm
CN103139163B (en) * 2011-11-29 2016-01-13 阿里巴巴集团控股有限公司 Data access method, server and terminal
CN102546601B (en) * 2011-12-19 2015-09-02 广州杰赛科技股份有限公司 The servicing unit of cloud computing terminal for accessing virtual machine
CN102571349B (en) * 2011-12-29 2015-02-11 北京握奇数据系统有限公司 Information updating method for smart key, smart key and system
CN102609842B (en) * 2012-01-19 2016-02-24 上海海基业高科技有限公司 A kind of payment cipher device based on hardware signature equipment and application process thereof
CN102752311B (en) * 2012-07-16 2016-04-06 天地融科技股份有限公司 A kind of authentication method, system and device
CN103051459B (en) * 2013-01-17 2016-04-06 北京印天网真科技有限公司 The management method of the transaction key of safety card and device
CN103457939B (en) * 2013-08-19 2016-04-06 飞天诚信科技股份有限公司 A kind of method realizing bidirectional authentication of smart secret key equipment
CN103795807B (en) * 2014-02-28 2017-08-01 徐刚 Task data processing method, apparatus and system based on P2P networks
CN104243162B (en) * 2014-08-19 2018-03-20 天地融科技股份有限公司 A kind of information interacting method, system and intelligent cipher key equipment
CN104243451B (en) * 2014-08-19 2018-04-13 天地融科技股份有限公司 A kind of information interacting method, system and intelligent cipher key equipment
CN105553662B (en) * 2014-10-29 2019-01-08 航天信息股份有限公司 Dynamic digital copyright protection method and system based on id password
CN108200014B (en) * 2017-12-18 2020-10-09 北京深思数盾科技股份有限公司 Method, device and system for accessing server by using intelligent key device
US10326797B1 (en) * 2018-10-03 2019-06-18 Clover Network, Inc Provisioning a secure connection using a pre-shared key

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106961446A (en) * 2017-05-08 2017-07-18 浙江敢尚网络科技有限公司 A kind of online transaction system and method

Also Published As

Publication number Publication date
CN101393628A (en) 2009-03-25

Similar Documents

Publication Publication Date Title
CN101393628B (en) Novel network safe transaction system and method
CN111083131B (en) Lightweight identity authentication method for power Internet of things sensing terminal
CN108270571B (en) Internet of Things identity authorization system and its method based on block chain
CN101789934B (en) Method and system for online security trading
CN101421968B (en) Authentication system for networked computer applications
CN101547095B (en) Application service management system and management method based on digital certificate
CN102075522B (en) Secure certification and transaction method with combination of digital certificate and one-time password
US6189098B1 (en) Client/server protocol for proving authenticity
CN103020825B (en) A kind of secure payment authentication method based on software client
US20060280297A1 (en) Cipher communication system using device authentication keys
CN101631305B (en) Encryption method and system
EP1277299A1 (en) Method for securing communications between a terminal and an additional user equipment
CN101216923A (en) A system and method to enhance the data security of e-bank dealings
CN103036681B (en) A kind of password safety keyboard device and system
US20160006566A1 (en) Reading of an attribute from an id token
CN101770619A (en) Multiple-factor authentication method for online payment and authentication system
CN107135070A (en) Method for implanting, framework and the system of RSA key pair and certificate
CN111917543B (en) User access cloud platform security access authentication system and application method thereof
CN101547097B (en) Digital media management system and management method based on digital certificate
CN113364597A (en) Privacy information proving method and system based on block chain
US20190007218A1 (en) Second dynamic authentication of an electronic signature using a secure hardware module
CN107135081A (en) A kind of double certificate CA systems and its implementation
KR20000024445A (en) User Authentication Algorithm Using Digital Signature and/or Wireless Digital Signature with a Portable Device
CN111539032B (en) Electronic signature application system resistant to quantum computing disruption and implementation method thereof
CN101521571A (en) Method for authenticating safety unit and server side of mobile hardware

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20120808